Are You Ready for GDPR? If You Answered, ‘What’s GDPR?’ Then the Answer Is Probably ‘No’

April 30, 2018 - Dan Wroblewski, Senior Web Developer

You’ve probably heard the term “GDPR” thrown around a lot lately, and you may have noticed a sudden increase in the number of emails you’ve received announcing updated privacy policies for the websites you visit regularly. It’s not a coincidence. Why is this happening?

(For the remainder of this blog post, you are required to read it out loud while pinching your nose closed, resulting in the nasally, nerdy voice needed for reading this post)

In May 2016, the European Union (EU) passed a privacy law called the General Data Protection Regulation. Yep, you guessed it: GDPR. The EU gave companies two years to comply. The law will be enforced beginning May 25, 2018. So, if you’re like 99 percent of us, you didn’t hear about it at all until about a month ago, as the global scramble to comply really got going. That, combined with the publicity of the Facebook Cambridge Analytica data breach, has put this topic in the spotlight. By the way, Facebook did exactly what all the other tech behemoths do. They just got caught. I’ll have a lot more on that mess in a future blog post. Back to GDPR.

In general, GDPR was written to protect people’s private data. So, if your website collects data from users, say, through an online form to subscribe to your monthly newsletter, then this applies to you. You are required to tell people what data you’re gathering, why you’re gathering it and what you will do with it. GDPR also requires website owners to allow users to access their data and completely delete it if they choose.

Who Must Comply With GDPR?
“But wait — the GDPR is a European law. My website is in the good ol’ U.S. of A. This doesn’t affect me, right?”

Maybe right, but most likely wrong. Yes, the law is meant for people within the EU, but it applies to their data on any website in the world. If your site is on the web and has a contact form, there’s a good chance it’s accessed by people in Europe. And if not, it is still accessible to people in Europe, so it’s better to be prepared.

Despite popular belief, it turns out the internet is not an easily controlled “series of tubes” after all, but an intricate grid with millions of pathways with (really squeeze your nose for this) exabytes of data constantly travelling at the speed of light in all directions. Sounds simple to manage, right?

Tips for GDPR Compliance
Actually, it’s not as daunting as it sounds. It all comes down to respecting people’s privacy. Here are a few things GDPR wants you to remember:

• Tell users what data of theirs you have, why you have it and what you’re doing with it.
• Get clear and explicit consent to gather, keep and use their data.
• Give users access to their data. Allow them to delete it from your database completely.
• Keep your users informed if you experience a data breach.

Now that you know what GDPR is trying to accomplish, here are some adjustments you need to make to be in compliance:

• Always get clear consent to gather user data and put into place an opt-in policy for your online forms. Don’t do anything with someone’s data until they explicitly agree to share their information with you. When a user fills out a form to receive something from you, send them an email asking them to confirm what they signed up for, what data you’ve collected to complete their request and what you’ll do with that data.

• Only ask for information you need. For email signups, do you really need to know their favorite color? Maybe you do, but be prepared to explain why.

• Designate someone on your staff to be responsible for maintaining the integrity and security of users’ data. Identify this person on your website.

• Update your privacy policy and terms of use pages on your website with information about how and why you use people’s data, and how they can access it.
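The opt-in, data-minimization, access and deletion points above, worked through as a small consent store. This is an added example, not code from the original post: the field list, the purpose string and the in-memory dictionaries are constructed stand-ins for your real form and database.

```python
import secrets
from datetime import datetime, timezone

# Data minimisation: the only fields a newsletter signup needs (constructed example).
ALLOWED_FIELDS = {"email", "first_name"}


def _now():
    return datetime.now(timezone.utc).isoformat()


class ConsentStore:
    """Double opt-in: submitted data sits in 'pending' and is only used after
    the confirmation token sent by email is presented back to us."""

    def __init__(self):
        self.pending = {}      # token -> record awaiting confirmation
        self.subscribers = {}  # email -> confirmed record

    def signup(self, form):
        unknown = set(form) - ALLOWED_FIELDS
        if unknown:  # refuse data you cannot justify collecting
            raise ValueError(f"not needed for signup: {sorted(unknown)}")
        token = secrets.token_urlsafe(16)  # unguessable, single use
        self.pending[token] = {
            "data": dict(form),
            "purpose": "monthly newsletter",
            "requested_at": _now(),
        }
        return token  # goes into the confirmation email; nothing else happens yet

    def confirm(self, token):
        record = self.pending.pop(token, None)  # pop: a token cannot be reused
        if record is None:
            return False
        record["confirmed_at"] = _now()
        self.subscribers[record["data"]["email"]] = record
        return True

    def export(self, email):
        """Right of access: what we hold, why, and when consent was given."""
        return self.subscribers.get(email)

    def erase(self, email):
        """Right to erasure: drop the confirmed record and any still-pending ones."""
        removed = self.subscribers.pop(email, None) is not None
        stale = [t for t, r in self.pending.items() if r["data"]["email"] == email]
        for tok in stale:
            del self.pending[tok]
            removed = True
        return removed
```

The export record doubles as the content of the confirmation email the post describes: the data collected, the purpose, and the timestamps of the request and the consent.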

GDPR is just a first step toward increasing the privacy rights of online users. Even if your website doesn’t fit the requirements and doesn’t need to comply right now, more policies will be coming.

The adjustments needed to comply with GDPR are just good business practice. You become more transparent to your users; they become more trusting in you.

(OK, you made it. You can let go of your nose now.)

That’s really just a quick overview. Here are some online resources with much more detailed information about GDPR: